Nissan Blocking Leaf Smartphone App Due to Security Flaw

Nissan shut down one of its smartphone apps this week after an Australian software developer found that Leaf owners were highly vulnerable to data theft and hackers controlling parts of their cars.

The NissanConnect EV app, which allows Leaf (and e-NV200) owners to check their electric car’s battery status, analyze their driving habits, and activate climate control and battery charging, has been disabled.

Developer Troy Hunt detailed his findings on his website; the problem essentially boils down to Nissan neglecting to use standard authentication. Using a VIN generator to ping available cars, Hunt found he could gain access to the app’s remote functions—switching on his friend’s heated seats in Norway all the way from Australia, as one example—and could view logs of his driving history. Other exploits involve disabling the car’s charging process or repeatedly turning on the air conditioning. While Hunt couldn’t view personal information like names or addresses or pinpoint a car’s exact location, he considered the issue serious enough to report it to Nissan the next day. That was more than a month ago.
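To make the root cause concrete, here is an added illustration (not Nissan's code, and not the real app API): a toy telematics service whose weak handler identifies a car by VIN alone, beside a hardened version that requires a session token and checks that the VIN is registered to that account. All VINs, tokens, and readings are constructed.

```python
# Added illustration, not Nissan's code: a toy telematics API in the shape of
# the flaw described above. The weak handler accepts a VIN as the only
# identifier; the hardened one requires a session token and checks that the
# VIN is registered to that account. All VINs, tokens and readings are constructed.

# Constructed sample data.
TELEMETRY = {
    "VIN-EXAMPLE-0001": {"battery_pct": 82, "climate_on": False},
    "VIN-EXAMPLE-0002": {"battery_pct": 47, "climate_on": False},
}
OWNERSHIP = {"alice": {"VIN-EXAMPLE-0001"}, "bob": {"VIN-EXAMPLE-0002"}}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
AUDIT_LOG: list = []  # denied requests land here for monitoring


def battery_status_weak(vin: str):
    """The flawed pattern: whoever supplies a valid VIN gets that car's data."""
    if vin in TELEMETRY:
        return 200, TELEMETRY[vin]
    return 404, {"error": "unknown vehicle"}


def _authorize(token: str, vin: str):
    """Authenticate the caller, then check that it owns the vehicle.

    Returns an HTTP-style (status, body) on failure, or None when allowed.
    Unknown VINs and VINs owned by someone else get the same 404, so the
    endpoint cannot be used to confirm which VINs are live.
    """
    account = SESSIONS.get(token)
    if account is None:
        AUDIT_LOG.append(("unauthenticated", vin))
        return 401, {"error": "authentication required"}
    if vin not in OWNERSHIP.get(account, set()):
        AUDIT_LOG.append(("not_owner", account, vin))
        return 404, {"error": "unknown vehicle"}
    return None


def battery_status_hardened(token: str, vin: str):
    denied = _authorize(token, vin)
    return denied if denied else (200, TELEMETRY[vin])


def set_climate_hardened(token: str, vin: str, on: bool):
    """State-changing command: gated exactly like the read endpoint."""
    denied = _authorize(token, vin)
    if denied:
        return denied
    TELEMETRY[vin]["climate_on"] = on
    return 200, TELEMETRY[vin]
```

The audit log gives defenders a hook: a burst of 404s from one client cycling through many VINs is the enumeration pattern worth alerting on.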

Comparing the Leaf flaw to the Jeep Cherokee hacks, Hunt wrote it was “good in that it doesn’t impact the driving controls of the vehicle, yet bad in that the ease of gaining access to vehicle controls in this fashion doesn’t get much easier—it’s profoundly trivial.” Nissan responded quickly, Hunt said, and company spokesman Steve Yaeger told us an updated app would be available soon, although he declined to give a specific date. The app functionality is still available over a regular web browser.

“No other critical driving elements of the Nissan Leaf or eNV200 are affected, and our 200,000-plus LEAF and eNV200 drivers across the world can continue to use their cars safely and with total confidence,” Yaeger wrote. “The only functions that are affected are those controlled via the mobile phone—all of which are still available to be used manually, as with any standard vehicle.”

When asked about the company’s wider-reaching NissanConnect service—which does offer remote unlocking, remote start, vehicle tracking, and other telematics functions—Yaeger did not say whether Nissan was looking into similar security holes.

Nissan, like Fiat-Chrysler and General Motors before it, has been extremely lucky to run into ethical “white hat” hackers like Hunt, who probe weak computer systems so that nefarious “black hat” hackers won’t discover them first. But so far, automakers haven’t demonstrated confidence in locking down such complex software, especially software with the power to control a vehicle wirelessly.

“As car manufacturers rush towards joining in on the ‘internet of things’ craze, security cannot be an afterthought nor something we’re told they take seriously after realizing that they didn’t take it seriously enough in the first place,” he said.